security

What is the purpose/meaning of the Version property on a FormsAuthenticationTicket?

What is the purpose/meaning of the Version property on a FormsAuthenticationTicket? ...

Does it make sense to set up a trusted relationship between Active Directory instances at partner companies?

Hi, if a company often requires users to be created in a partner's Active Directory, and vice versa, does it make sense to set up a federated / trusted relationship between the AD instances? If so, what should be considered? Does the ACL for users in the partner AD still work the same way? What security risks does this expose? Thanks! ...

Best practices for control permissions?

Hey all, I need some advice on this... We have certain permissions set up in the database for certain levels of control a user can have over the application. Disabled, ReadOnly and Edit. My question is: Are there more generic/better ways to handle permissions applied to a form element on the page than writing a security method/check pe...

What is the most elegant and efficient way to provide AAA to web services using a WS gateway and LDAP?

Hi, I'm looking for the best way to provide authorization, authentication, and auditing to web services. I'll be using a web service gateway appliance deployed to the DMZ, and there will be an LDAP instance as a user store behind the firewall. How should it be built? Cheers, KA. Update: As pointed out in an answer below, LDAP isn't idea...

How to trace an ASP.NET Security Exception

How can I figure out what is actually causing the following error? The page is the same as other pages but for some reason only this page is having this error. It also only happens on the ISP (GoDaddy) who has a trust level of Medium and I can't set a breakpoint and try to catch it. Server Error in '/' Application. Security Exception D...

Is it secure to submit from an HTTP form to HTTPS?

Is it acceptable to submit from an HTTP form through HTTPS? It seems like it should be secure, but it allows for a man in the middle attack (here is a good discussion). There are sites like mint.com that allow you to sign in from an HTTP page but do an HTTPS post. In my site, the request is to have an HTTP landing page but be able t...

Choosing best security option for WCF

We have a project that contains a WCF Service and a few clients that connect to it. Some of them are PCs using NetTcp to connect to the service. A few others run on Windows Mobile Devices (Compact Framework), using BasicHttp to connect. We can't use Windows Authentication, because different PCs use different Windows accounts. How can we sec...

What are the most common, typical things to AVOID coding into my ASP.NET app in order for it to run under Medium Trust on a shared host?

What are the things that Medium Trust stops you from doing? For example, I've already learned that Medium Trust stops you from using System.IO.Path.GetTempPath(). What other things like that? ...

How to find out which account my ASP.NET code is running under?

I am getting an 'Access to the path is denied' error message when running in debug mode. I have tried granting permissions to {MACHINENAME}\ASPNET and to NETWORK SERVICE but this hasn't made any difference. I have also tried < impersonate = true /> using an admin account, this also made no difference. So how do I establish exactly which ...

Recommendations for securing Internet-facing IIS Host?

I'm setting up an Internet-facing ASP.NET MVC application, on Windows 2008. It uses SQL Server 2008 for its database. I'm looking for best-practices for securing it. I found this article, but it's a bit dated now. How much of that advice is still valuable? Some background -- it's a personal site, behind my home NAT/firewall box; and I'...

Hidden Input Field causes potentially dangerous Request.Form value error

In my ASP.NET 1.1 application, I am compressing and replacing the hidden Viewstate variable with an alternate compressed value, stored in a hidden field called __VSTATE. This works well but on a few occasions, submitting a page causes the common "potentially dangerous Request.Form value ..." error. I examined the __VSTATE value and noth...

How does a 7- or 35-pass erase work? Why would one use these methods?

How and why do 7- and 35-pass erases work? Shouldn't a simple rewrite with all zeroes be enough? ...

AccessControlException when attempting to delete a file

We have a Java web service application that uses log4j to do logging. An exception gets thrown when log4j tries to delete its rolling log files. Exception: java.security.AccessControlException: access denied (java.io.FilePermission /var/opt/SUNWappserver/domains/domain1/ applications/j2ee-modules/ourwebservice/WEB-INF/logs/IMWrapper.log....

Limit file access to specific users in IIS

I'm running an ASP.NET web site on IIS 6.0 (Windows 2003), and the site uses "integrated windows authentication". The IWA configuration is not a must (until now), but is configured anyway. The application pool runs as the "Network Service". Also, in web.config, there's the line "". The problem I'm facing now is that there's a new request...

Why, when I impersonate within a WCF service, can my service not load System.Transactions when I try to run a LINQ to SQL query?

I have a WCF service, hosted in IIS 7.0 that needs to run database queries. In order to get the right permissions to do this I am impersonating within the service as follows: Code [OperationBehavior(Impersonation = ImpersonationOption.Allowed)] public void MyOperation(int arg) Configuration <behavior name="ReceivingServiceBehavior">...

A tidy way to clean your URL variables?

I'm wondering if there is a quick and easy function to clean GET variables in my URL before I work with them (or $_POST, come to think of it...). I suppose I could use a regex to replace non-permitted characters, but I'm interested to hear what people use for this sort of thing? ...

Are there any known HTA file Security Issues?

Are there any known security issues related to running a web application via a .hta file? I am especially interested in the drag & drop issues related to .hta files and frames see: http://sqlblogcasts.com/blogs/jonsayce/archive/2008/01/10/drag-and-drop-problems-in-hta-frames.aspx ...

What is a somewhat secure way of generating a 64 bit signature?

I would like to sign a device, and I have 64 bits to store my signature in the device. This device has a MAC address and some other details (about 30 bytes worth) I can mangle to create my signature. If possible, I would like the method to be one-way, so that I can verify that the signature is valid without knowing how to create a vali...
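One way to fit the question's 64-bit budget is a keyed MAC over the device's details, truncated to 8 bytes. The example below is an added illustration, not code from the question or from any answer; the device fields (`mac`, `serial`, `model`), their sample values and the key are constructed and hypothetical. It shows the two properties the question cares about: a tag that an attacker cannot forge without the key, and a verifier that checks in constant time. The one-way wish in the question is only partly met, and the usage note explains why.

```python
import hashlib
import hmac

# Constructed sample device record (hypothetical values, not from the question).
# A real MAC address is 6 bytes; the other fields stand in for the "30 bytes" of details.
DEVICE = {
    "mac": bytes.fromhex("001122334455"),
    "serial": b"SN-0001234",
    "model": b"XR-2",
}

FIELD_ORDER = ("mac", "serial", "model")
TAG_LEN = 8  # 64 bits, the storage budget from the question


def canonical_device_bytes(device: dict) -> bytes:
    """Serialize the fields in a fixed order with length prefixes.

    The length prefix matters: without it, serial=b"SN-00" model=b"01234XR-2"
    would produce the same byte string as the record above and hence the same tag.
    """
    out = b""
    for name in FIELD_ORDER:
        value = device[name]
        out += len(value).to_bytes(2, "big") + value
    return out


def sign_device(device: dict, key: bytes) -> bytes:
    """Return a 64-bit tag: HMAC-SHA256 over the canonical fields, truncated to 8 bytes."""
    full = hmac.new(key, canonical_device_bytes(device), hashlib.sha256).digest()
    return full[:TAG_LEN]


def verify_device(device: dict, tag: bytes, key: bytes) -> bool:
    """Recompute the tag and compare in constant time so timing does not leak matches."""
    if len(tag) != TAG_LEN:
        return False
    return hmac.compare_digest(sign_device(device, key), tag)


if __name__ == "__main__":
    key = bytes.fromhex("8f3a" * 16)  # hypothetical 32-byte key held only by the signer/verifier
    tag = sign_device(DEVICE, key)
    print("tag:", tag.hex(), "valid:", verify_device(DEVICE, tag, key))
```

Truncating HMAC-SHA256 to 64 bits leaves an attacker a 2^-64 chance per guess of hitting a valid tag for a forged device, which is adequate for an offline check but not a substitute for a full-length tag where verification can be attempted online without limit. The tag is one-way only in the hash sense: whoever holds the key can both verify and create tags, so a verifier that runs on an untrusted device can forge. Separating those roles needs a public-key signature, and no public-key scheme produces a 64-bit signature, so with a 64-bit field the verifier must be somewhere the key can be kept secret.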

Tomcat: block requests for certain paths for requests coming from certain interfaces

Is there an open source filter that I can use on Tomcat to prevent access to certain path (say /a/b/*) when the request comes from a given interface? The use case: I have REST services deployed on Tomcat that should only be accessed by the application itself, but which for security reasons should not be accessible from the outside world...

What encryption algorithm does the .net membership provider use?

Hi, I'm looking at the source code for the .NET membership provider, and in sqlmembershipprovider.cs there are calls to EncryptPassword and DecryptPassword but I don't see the method anywhere in the source. What algorithm are they using? Isn't the source for that released also? ...